Feature to ban certain dependencies

[ash211]

What happened?

Occasionally I want to ban a dependency in a repo, and fail gradle checks if it appears in versions.lock.

For example, if I've spent some work to migrate off of a problematic library, I'd like to then add it to a banned list to make sure that it doesn't sneakily re-appear in a repo as a result of some auto-upgrade bump. In my example it's a certain maven coordinate, not a specific version of a coordinate.

What did you want to happen?

Some way to provide a list of deps that cannot be depended on, directly or transitively. For example:

dependencies {
  banned {
    module('com.sun.jersey:jersey-server') {
      because 'Unwanted reason x'
    }
    module('org.glassfish.jersey.core:jersey-server') {
      because 'Unwanted reason y'
    }
    module('ch.qos.logback:logback-core') {
      because 'Unwanted reason z'
    }
  }
}

[iamdanfox]

What about this: https://docs.gradle.org/current/userguide/rich_versions.html

    dependencies {
        constraints {
            rootConfiguration 'ch.qos.logback:logback-core', {
                version { reject() }
                because ' ... explanation ... '
            }
        }

[ash211]

I couldn't get that to work (check still passed despite a violating entry in versions.lock), but got this to do a similar thing in /build.gradle:

tasks.register('checkVersionLock') {
    doLast {
        def lockFilePath = "${projectDir}/versions.lock"
        def lockFile = new File(lockFilePath)
        if (!lockFile.exists()) {
            throw new GradleException("The versions.lock file does not exist.")
        }

        def unwantedDependencies = [
          'ch.qos.logback:logback-core',
          // add more to this list..
        ]

        def lines = java.nio.file.Files.readAllLines(java.nio.file.Paths.get(lockFilePath))
        def foundUnwantedDependencies = lines.findAll { line ->
            unwantedDependencies.any { invalidString -> line.startsWith(invalidString) }
        }

        if (!foundUnwantedDependencies.empty) {
            throw new GradleException("The versions.lock file contains invalid lines: \n\n${foundUnwantedDependencies.join('\n')}")
        }
    }
}

tasks.named('check') {
    dependsOn('checkVersionLock')
}

It mostly does what I want, and the only difference is that I've found something where I'm fine with using it in a test source set but not the main source set. So I'd like to ban from all main source sets, but allow in the test one.

[ash211]

Update: I got something working on GPT-o1's suggestion:

afterEvaluate { proj ->
    configurations.all {
        resolutionStrategy {
            eachDependency { details ->
                if (details.requested.name.endsWith("-api-dialogue")) {
                    throw new GradleException("""
                            ${proj.name} is not allowed to depend on ${details.requested.group}:${details.requested.name}.
                            This would impose unnecessary pdep requirements on downstream projects.
                        """.stripIndent())
                }
            }
        }
    }
}